Azure Login Explicitly Denied MFA

Set up the azure integration.

Goal

Detect and identify the network IP address when multiple user accounts failed to complete the MFA process.

Strategy

Monitor Azure Active Directory Sign-in logs and detect when any @evt.category is equal to SignInLogs, @properties.authenticationRequirement is equal to multiFactorAuthentication and @evt.outcome is equal to failure.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.